
EU to Investigate Passport Privacy Concerns

mvdwege writes: "Well, it appears that the old fight between the US and the EU over privacy regulations is about to enter a second round. In response to a letter by a Member of the European Parliament, the Commission has stated that it will start investigating Microsoft's possible breach of the EU privacy regulations. The Register has a nice summary."
  • by Anonymous Coward on Saturday May 25, 2002 @06:00PM (#3585179)
    Obligatory collection of information on users by Microsoft .NET Passport and measures to protect their privacy

    1. Is the Commission aware of Microsoft's free .NET Passport service, which, while consumers are engaged in a purchase, a game, a request or a bank transaction on line, is designed continually to collect their personal information via for instance, an e-mail address (Hotmail), a chat programme (MSN Messenger), a shop (Expedia.com), an auction site (QXL), a community (MSN Communities) or a hotel chain (Hilton.com) and that, as a result, a vast quantity of personal information is surreptitiously passed on to unknown parties by, in particular, Hotmail address owners without their noticing it?

    2. Is the Commission also aware that failure to register with .NET Passport results in exclusion from many sites' services, that unsubscribing is not possible, that periodically only out-of-date information is removed and that the passwords to be given (minimum of six characters only) are easily accessible, to some extent, to others posing as system administrators or possessing considerable knowledge of dictionaries?

    3. Does the Commission regard it as acceptable that users of public terminals in universities, libraries or Internet cafes who fail to log off correctly may pass on their confidential information to the next user, that to hire software via the Internet (using Microsoft servers instead of a personal hard disk) access is possible only via .NET Passport, and that, because of a de facto monopoly, Microsoft may shortly charge a high price for what are still for the time being free services?

    4. Is it lawful for a dominant firm to build up a very extensive database of personal information? Is .NET Passport registered with national agencies supervising the application of privacy legislation? Is registration mandatory in every Member State? Does such a requirement also apply where the database is not located on the territory of an EU Member State?

    5. Can national or European criminal investigators make use of the information collected without prior consent of the individuals concerned or the courts?

    6. According to the Commission, is there any call for further regulation in order to make abuses by interested parties or subversion of current privacy rules impossible?

    E-0718/02EN
    Answer given by Mr Bolkestein
    on behalf of the Commission
    (7 May 2002)

    1-3. The Commission is indeed aware of Microsoft's .NET Passport system and of its alleged capabilities and shares some of the Honourable Member's concerns. It is looking into this as a matter of priority, in concertation with national data protection authorities, as regards the system's compatibility (or not) with EU data protection law.

    4. A company operating in the Union is subject to Community law and may build up a database of personal information, provided the obligations laid down in Directive 95/46/EC of the Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data are respected. These include having a specific, legitimate purpose, informing the individual of identity of the controller of the data, of the purpose of collection and the rights individual has, such as the right to access his/hers own personal data. In cases where consent for processing is required, the Directive requires that it be unambiguous and freely given. The Directive also lays down the obligation to notify such processing operations to national data protection authorities. But the directive also provides for some exemptions from the notification obligation. The Commission is not at present in a position to say whether this processing operation has been notified within the Community.

    The question of whether and to what extent the Directive applies to a data base (or in the terms of the Directive a data controller) located outside the Union, especially where data is collected directly from data subjects via the Internet, is a complex one which the Commission and national data protection authorities are at present examining carefully. Article 4.1(c) of the Directive provides for its application where a controller makes use of equipment, automated or otherwise, situated on the territory of a Member State, which means that the Directive does at least in some cases apply to controllers outside the Community. Furthermore specific national rules concerning a third country in which the controller is established may also apply and be enforceable within that jurisdiction. In this respect, Microsoft has notified the US Department of Commerce that it adheres to a privacy policy that meets the Safe Harbor framework.

    5. On the basis of legislative measures, criminal investigators can make use of information collected without the prior consent of the individuals concerned or the courts, provided that the rights of defence of the individuals concerned are respected and that the restriction to the right to privacy is strictly necessary for the purpose of the criminal investigation. The information collected during the investigation may moreover only be used to the extent necessary for those purposes.

    6. In accordance with Article 33 of the Directive, the Commission is examining the application of Directive 95/46/EC and expects to make a report before the end of the year. The subversion of current rules will be looked into in that context.
  • by toadnine ( 525325 ) on Saturday May 25, 2002 @06:56PM (#3585336)
    Nope, pot isn't legal... but we got a very special word for it... it is 'gedoogd'. Kind of 'fair use' principle. It's still illegal, but if you only have 2 plants in your bedroom or only a few grams of hash/weed with you, the police won't do anything.

    The party of Erik Meijer (SP), the guy who asked that question, _is_ pro full legalisation of softdrugs, though :-)
  • by mvdwege ( 243851 ) <mvdwege@mail.com> on Sunday May 26, 2002 @04:36AM (#3586436) Homepage Journal

    Nice post. Good to see the moderators were awake on this one.

    Basically what you are describing is the EU Privacy Directive. The gist of the Directive is that companies may not store information on you without telling what they need it for, and not more information than is necessary for the purposes they state. Additionally, they are not allowed to give out your data to third parties without express prior consent. The national laws that implement this directive are backed up by the governments. Some are a little easy on violators, but others are terrifyingly strict.

    That's why I submitted this story in the first place; there have been a lot of stories lately about how companies treat personal information, and this was a nice way to show that somewhere in the world there are laws against this, and governments willing to back them up. I think the EU is a bureaucratic monstrosity sometimes, but this they got right.

    Mart
